[Samba] specify alternative port for samba internal dns server

John Yocum jtyocum at uw.edu
Thu Feb 26 17:16:25 MST 2015


On 02/26/2015 04:10 PM, Ben Cohen wrote:
> Whoops - sorry for responding to you directly rather than via the list -- I
> only use gmail for extremely high-volume mailing lists, and usually that's
> just to skim-read them -- so I don't know the gmail web-ui very well (and
> it seems to change all the time) -- apologies.  (Also I have no idea how to
> not top-post with gmail ...  I'll figure that out for next time)
> 
> You seem to have strong opinions regarding the default port for the dns
> server - I disagree with you but I'm not going to try to change your deeply
> held beliefs.
> 
> While expressing your opinions earlier in the thread, the idea was raised
> that it is somehow _REQUIRED_ for clients to use the samba internal dns
> directly rather than receive dns responses via an intermediary dns server
> -- can someone confirm whether or not this is the case?
> 
> On Thu, Feb 26, 2015 at 4:00 PM, Rowland Penny <rowlandpenny at googlemail.com>
> wrote:
> 
>> On 26/02/15 23:39, Ben Cohen wrote:
>>
>>> Please stop making the assumption that I don't have different problems
>>> than you...
>>>
>>> I support IT environments that are connected via incredibly slow internet
>>> links -- user clients CANNOT use something other than my dns server as
>>> their dns resolver -- I have to implement logic which controls all internet
>>> access, including dns resolution, on a per user basis per-byte basis -- if
>>> I put another dns server in-between me and the network clients, I lose the
>>> information by which my dns forwarding-resolver can make the identity
>>> determination.  Perhaps you have some way of passing forward the identity
>>> information regarding which client is making the dns request in a way that
>>> my network-access-control appliance understands -- oh, right no you don't
>>> do you?
>>>
>>> In my testing my approach seems to work the way I want to do things --
>>> two servers, one with dnsmasq, one with samba internal dns.  Clients point
>>> at my dnsmasq, dnsmasq resolves ad domain via samba dns.  Is this not
>>> appropriate for some reason?  How does this go against the 'ad' way? As far
>>> as I can tell there is absolutely nothing wrong with this architecture ...
>>> why should the clients need to talk to the samba dns directly rather than
>>> via my intermediary -- is that actually required?  It's my impression that
>>> my campus network doesn't do this with normal active directory -- I believe
>>> they run BIND and queries for ad.foo.com are
>>> resolved via authoritative AD dns servers running on windows server ...
>>> Isn't that the normal way?
>>>
>>> The reason I want to run the samba4 dns on a different port than the
>>> default is to avoid having to run an additional OS -- my environments are
>>> very expensive to put equipment in, reducing the hardware and OS count is
>>> desirable, particularly where there is not a good reason that something
>>> needs to have its own OS instance ...
>>>
>>> It seems you reference a straw-man desire to customize the ldap server
>>> port in order to evoke some history of problems surrounding people trying
>>> to use services that don't work with the AD model within samba.  In fact my
>>> GOAL is exactly the opposite -- I WANT to USE the samba integrated dns in
>>> order to avoid having any issues with the required set of magic AD dns
>>> behaviours -- rather than trying to hack those required dns behaviours into
>>> my existing dns configuration ...
>>>
>>> I appreciate your thoughts and if my suggested approach (with two
>>> servers) truly isn't going to work, it would be huge if you or someone else
>>> could tell me and give a lot of insight why ... because my plan even with a
>>> *NO* on the ability to change the port that samba-dns listens on, is to use
>>> two servers as described above ...  If that's not gonna work for some
>>> reason it'd be awesome to find out now ...
>>>
>>> Thanks,
>>>
>>> On Thu, Feb 26, 2015 at 3:06 PM, Rowland Penny <
>>> rowlandpenny at googlemail.com> wrote:
>>>
>>>     On 26/02/15 22:58, Ben Cohen wrote:
>>>
>>>         My goal is for the samba dns server to be authoritative for
>>>         'ad.mydomain.com' but not for mydomain.com. The dns server
>>>         that the clients in my domain use is statically configured to
>>>         resolve all requests for ad.mydomain.com via the
>>>         samba internal dns -- I believe this is exactly what is
>>>         required for samba to function ...  Is this incorrect somehow?
>>>
>>>
>>>     You should point your domain members to the DC, if the record the
>>>     client requires is inside the AD domain, the DC will return
>>>     answer, if it doesn't know, it will forward the request to
>>>     whatever you have set as the forwarder.
>>>
>>>
>>>         A whole bunch of other samba services can listen on other than
>>>         the default service port through configuration options ...
>>>         Why should the dns service uniquely deserve an all-caps *NO*
>>>         with regard to this configurability?
>>>
>>>
>>>     You could always try and alter the ldap port that samba4 listens
>>>     on, oh sorry, you cannot change that either can you.
>>>
>>>     Please stop trying to bend AD to your way of working.
>>>
>>>
>>>     Rowland
>>>     --
>>>     To unsubscribe from this list go to the following URL and read the
>>>     instructions: https://lists.samba.org/mailman/options/samba
>>>
>>>
>>>
>> Please stop sending emails directly to me, keep it on list.
>>
>> If you are struggling with resources, you could run another OS inside a VM
>> and point the samba forwarder to a DNS server running on the OS in the VM.
>>
>> Would you try and circumvent the way a windows server works, I do not
>> think so and as samba4 AD works exactly the same as windows AD, you
>> shouldn't try to change the way it works.
>>
>> Note that this is the last I will have to say on this subject.
>>
>>
>> Rowland

Your clients don't have to query your Samba DCs for DNS directly.
Though, it does make troubleshooting/resolving issues much simpler.

One thought would be, replace dnsmasq with BIND, and use BIND to do
Samba's DNS along with your other DNS needs.
-- 
John Yocum, Systems Administrator, DEOHS
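The two-server layout Ben describes earlier in the thread (clients use dnsmasq as their only resolver; dnsmasq hands the AD zone to the Samba internal DNS on a separate host, and the DC forwards everything else back out) written up as a configuration example. This is an added illustration, not configuration from this thread or from the Samba project; all addresses (10.20.30.0/24, the DC at 10.20.30.10, dnsmasq at 10.20.30.5, the upstream resolver 203.0.113.53) are constructed placeholders.

```conf
# --- /etc/dnsmasq.conf on the client-facing resolver (10.20.30.5) ---
# Added example; addresses are constructed placeholders.

# Ignore /etc/resolv.conf and use only the servers listed here, so no
# query can leak to a resolver that does not know the AD zone.
no-resolv

# Everything under ad.mydomain.com goes to the Samba DC's internal DNS.
# The AD SRV records live in _msdcs, _sites, _tcp and _udp below this
# name, so this single rule covers domain controller location as well.
server=/ad.mydomain.com/10.20.30.10

# Reverse lookups for the AD subnet also come from the DC; without this,
# PTR answers for domain members come back empty.
server=/30.20.10.in-addr.arpa/10.20.30.10

# Everything else goes to the upstream resolver (placeholder address).
server=203.0.113.53

# Do not forward bare hostnames (no dot) upstream.
domain-needed

# --- /etc/samba/smb.conf on the Samba DC (10.20.30.10) ---
# The DC answers ad.mydomain.com itself and sends anything outside the
# AD zone to dnsmasq. There is no loop: each side only forwards names
# the other is responsible for.
[global]
    dns forwarder = 10.20.30.5
```

To check the split from a client, ask dnsmasq for an AD service record, e.g. the SRV record `_ldap._tcp.dc._msdcs.ad.mydomain.com`; it should come back with the DC's name and port 389, and a name outside the AD zone should still resolve via the upstream. If the SRV query returns nothing, the `server=/ad.mydomain.com/` rule (or reachability of the DC on TCP and UDP 53 from the dnsmasq host) is the first thing to check. Domain members that perform dynamic DNS updates locate the zone's primary master through the SOA record and send the update to it directly, so they still need port 53 access to the DC itself even though their configured resolver is dnsmasq.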

